Shade Ransomware (Oct 7th, 2016)


The Dell SonicWALL Threats Research team has observed a ransomware Trojan that has been in existence for over a year and is still actively spreading in the wild. It spreads via malicious websites that use exploit kits and also via infected email attachments. It is believed to be Russian in origin and has spread mostly in Russia.

Infection Cycle:

The Trojan uses the following icon:

Below is a sample of DNS queries made by the Trojan:

The Trojan adds the following keys to the registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Client Server Runtime Subsystem" = "%ALLUSERSPROFILE%\Application Data\Windows\csrss.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "NetworkSubsystem" = "%ALLUSERSPROFILE%\Application Data\Csrss\csrss.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "CSRSS" = "%ALLUSERSPROFILE%\Application Data\Drivers\csrss.exe"

The Trojan adds the following files to the filesystem:

  • %USERPROFILE%\Local Settings\Temp\4C7E0EC.exe [Detected as GAV: FileCryptor.LJR (Trojan)]
  • %USERPROFILE%\Local Settings\Temp\ADADBC6C.exe [Detected as GAV: FileCryptor.GAP (Trojan)]
  • %ALLUSERSPROFILE%\Application Data\Csrss\csrss.exe [Detected as GAV: FileCryptor.LJR (Trojan)]
  • %ALLUSERSPROFILE%\Application Data\Drivers\csrss.exe [Detected as GAV: FileCryptor.LJR (Trojan)]
  • %ALLUSERSPROFILE%\Application Data\Windows\csrss.exe [Detected as GAV: FileCryptor.LJR (Trojan)]

The readme files contain the following message:

      All the important files on your computer were encrypted.
      To decrypt the files you should send the following code:
      to e-mail address .
      Then you will receive all necessary instructions.
      All the attempts of decryption by yourself will result only in irrevocable loss of your data.
      If you still want to try to decrypt them by yourself please make a backup at first because
      the decryption will become impossible in case of any changes inside the files.
      If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!),
      use the feedback form. You can do it by two ways:
      1) Download Tor Browser from here:
      Install it and type the following address into the address bar:
      Press Enter and then the page with feedback form will be loaded.
      2) Go to the one of the following addresses in any browser:

The links have been blocked at the time of writing this alert.

After each DNS request it makes the following HTTP GET request to each host:

The C&C server is located on the Tor network, where all communication is encrypted. An RSA-3072 public key is requested from the server:

The Trojan then searches the filesystem for files with predefined extensions and encrypts them using the RSA-3072 public key. After encrypting a file it renames it to a name similar to the following, with a .da_vinci_code extension:

  • WY4BA86OCcwPVkbdji2JiS888iAqO7jOnXtXvJtekBU=.0E7F1123D9BE734AF274.da_vinci_code
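The registry, file-path and file-name indicators above are enough to build a small host triage check. The script below is an added example written for this alert, not SonicWALL's code: it flags Run-key values that match the advisory's three persistence entries (or any csrss.exe started from under Application Data, since the legitimate csrss.exe lives in System32 and is never launched from a Run value) and picks out files named in the da_vinci_code style. The file-name regex generalises from the single sample above (a base64 blob, 20 hex characters, the extension); that generalisation, the sample Run entries and the sample paths are all constructed assumptions, and the live registry read only runs on Windows.

```python
import re
import sys

# Run-key persistence IoCs listed in the advisory: value name -> data.
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_IOCS = {
    "Client Server Runtime Subsystem": r"%ALLUSERSPROFILE%\Application Data\Windows\csrss.exe",
    "NetworkSubsystem": r"%ALLUSERSPROFILE%\Application Data\Csrss\csrss.exe",
    "CSRSS": r"%ALLUSERSPROFILE%\Application Data\Drivers\csrss.exe",
}

# Encrypted-file naming pattern. The advisory shows one sample name
# (base64 blob . 20 hex characters . da_vinci_code); treating that as
# "any base64, exactly 20 hex" is an assumption made here.
ENCRYPTED_NAME = re.compile(r"^[A-Za-z0-9+/]+=*\.[0-9A-Fa-f]{20}\.da_vinci_code$")


def check_run_entries(entries):
    """Flag Run-key values that match the advisory.

    entries: iterable of (value_name, data) pairs read from the HKLM Run key.
    Returns a list of (value_name, data, reason) tuples.
    """
    hits = []
    for name, data in entries:
        data_norm = data.strip('"').lower()
        expected = RUN_VALUE_IOCS.get(name)
        if expected is not None and data_norm == expected.lower():
            hits.append((name, data, "exact advisory IoC"))
        elif data_norm.endswith("\\csrss.exe") and "application data" in data_norm:
            # The real csrss.exe lives in %SystemRoot%\System32 and is never
            # started from a Run value, so a csrss.exe under Application Data
            # is suspicious whatever value name the sample chose.
            hits.append((name, data, "csrss.exe outside System32"))
    return hits


def find_encrypted(paths):
    """Return the paths whose file name follows the .da_vinci_code pattern."""
    return [p for p in paths if ENCRYPTED_NAME.match(p.rsplit("\\", 1)[-1])]


def read_live_run_key():
    """Enumerate the real HKLM Run key on Windows; returns [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            entries.append((name, str(data)))
            i += 1
    return entries


# Constructed sample data for a stand-alone run (not from the advisory's sample).
SAMPLE_RUN_ENTRIES = [
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("Client Server Runtime Subsystem", r"%ALLUSERSPROFILE%\Application Data\Windows\csrss.exe"),
    ("Updater", r"C:\ProgramData\Application Data\Csrss\csrss.exe"),
]
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\WY4BA86OCcwPVkbdji2JiS888iAqO7jOnXtXvJtekBU=.0E7F1123D9BE734AF274.da_vinci_code",
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\README.txt",
]

if __name__ == "__main__":
    entries = read_live_run_key() or SAMPLE_RUN_ENTRIES
    for name, data, reason in check_run_entries(entries):
        print(f"[RUN] {name!r} -> {data} ({reason})")
    for path in find_encrypted(SAMPLE_FILES):
        print(f"[ENC] {path}")
```

On a suspect host the Run-key check is the quick first question (is the persistence still there?), while the file-name match gives a count of encrypted files to scope the damage before any restore from backup.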

After encrypting these files it displays the following message on the desktop background:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

      GAV: Shade.A (Trojan)
      GAV: FileCryptor.LJR (Trojan)
      GAV: FileCryptor.GAP (Trojan)
